Domain 1 :Explain the importance of using appropriate cryptographic solution Flashcards
Public Key Infrastructure (PKI)
foundation of security comprising public and private keys, certificates, and key escrow mechanisms. Encryption, a cornerstone of information protection, comes in various forms, including full-disk, file, and database encryption, which are bolstered by tools such as Trusted Platform Modules (TPMs) and Hardware Security Modules (HSM
Public key
The role of the public key is to encrypt data and validate digital signatures.
What is the public key encryption standard?
To identify a public key, the format (also known as the Public-Key Cryptography Standards (PKCS) of the public key) is P7b and the file extension is .cer. The file serves as a form of digital “identity proof,” much like a physical certificate (such as an award or diploma).
Private Key
The primary function of the private key is decryption.
Often stored in digital or hardware-based cryptographic devices, it’s shielded behind layers of security measures, such as strong passwords and biometric authentication
Key escrow
Key escrow is a trusted third party responsible for securely storing copies of cryptographic keys
Hardware Security Module (HSM)
is a specialized (has to be bought) hardware device designed to provide robust security measures for the management and protection of cryptographic keys, sensitive data, and cryptographic operations
Encryption level
The encryption level relates to the robustness and intricacy of both the encryption algorithm and the cryptographic key employed to safeguard sensitive information.
Full disk encryption
FDE is a robust security measure designed to protect the data stored on a computer’s hard drive or Solid-State Drive (SSD). It accomplishes this by encrypting the entire storage device, making it unreadable without the appropriate decryption key. One of the key components that can enhance the security of FDE is a Trusted Platform Module (TPM) chip where the keys can be stored
File encryption
Each individual document, image, or spreadsheet becomes a treasure chest of encrypted secrets. Unauthorized access results in mere jumbles of characters, rendering stolen files unreadable and inconsequential.
Volume encryption
BitLocker’s integration with the TPM introduces a robust layer of security, enhancing the process of volume-level encryption. By utilizing the TPM chip, BitLocker ensures the integrity of a system’s boot process and authentication mechanisms - Volume encryption offers you the choice to encrypt different volumes
Bitlocker
Windows encryption technology that protects your data from unauthorized access by encrypting your drive and requiring one or more factors of authentication before it will unlock it.
TLS encryption steps
Handshake: The sender and receiver initiate a handshake, during which they agree on encryption parameters, exchange cryptographic keys, and authenticate each other’s identity.
Encryption: Once the handshake is complete, the actual data transmission begins. The data is encrypted using symmetric encryption keys, ensuring that only the authorized recipient possesses the means to decipher it.
Transmission: The encrypted data traverses the internet’s various networks and routers, shielding it from prying eyes and potential eavesdroppers.
Decryption: Upon reaching the intended recipient, the data is decrypted using the same symmetric key. This process ensures that only the recipient can access the original, meaningful information.
Secure Sockets Layer (SSL)
serves as a secure communication protocol that establishes a safe and encrypted connection between two communicating systems. It works with the standard TCP/IP protocol, acting as a protective shield for the data being transmitted. One use case is HTTPS for web browsing.
Homomorphic encryption:
Homomorphic encryption is a groundbreaking cryptographic technique that enables data to be processed and manipulated without the need for decryption. In traditional encryption methods, data must be decrypted before any computation can take place, which exposes the sensitive information to potential security risks. However, homomorphic encryption offers a revolutionary approach that allows computations to be performed directly on encrypted data, maintaining its confidentiality throughout the entire process.
Key longevity
Key longevity refers to the duration over which cryptographic keys remain secure and effective in protecting sensitive data, making it imperative to periodically update keys to stay ahead of potential security threats. This is typically between one to two years.
Key exchange
Key exchange is the art of securely delivering cryptographic keys from sender to receiver. We cannot encrypt data without performing a public key exchange first.
asymmetric encryption examples
Examples of asymmetric algorithms include RSA, Diffie–Hellman, and Elliptic Curve Cryptography (ECC).
Key length
The length of cryptographic keys is the measure of their resistance against attacks. A key’s length directly affects the complexity of deciphering encrypted data. Longer keys equate to more formidable defenses due to complexity. In a world of rapidly advancing computational power, key length becomes a crucial factor in thwarting malicious attempts.
TPM
A TPM is a hardware-based security component integrated into computers and devices. It generates, stores, and manages cryptographic keys in a secure environment. A TPM ensures the integrity of system boot processes, offers hardware-based authentication, and supports encryption tasks. It’s used to enhance system security by safeguarding cryptographic keys and enabling secure device bootups
Secure enclave
A secure enclave is a hardware-based security feature found in modern processors, such as Apple’s T2 chip. It provides a separate and isolated environment for secure operations, such as storing sensitive data and executing cryptographic operations. Secure enclaves are used to protect user data, biometric information, and cryptographic keys from potential software-based attacks.
Obfuscation
Obfuscation involves deliberately making code, data, or information more complex and difficult to understand.
Stenography
Imagine secret messages concealed within innocent-looking envelopes. Steganography operates on this principle, allowing sensitive information to be hidden within seemingly innocuous data, such as images or audio files.
Tokenization
Tokenization acts as a digital locksmith, transforming sensitive data into unique tokens that hold no inherent value.
Data masking
Data masking, akin to wearing a mask for anonymity, involves disguising sensitive data by replacing original values with fictitious ones
Hashing
A hash value is a condensed representation of input data generated by a hash function. It appears as a seemingly random string of characters, regardless of the original data’s size.
-One way function
Hashing algorithm’s
, two of the most common of which are SHA1 (160-bit) and MD5 (128-bit).
Salting
In the context of cybersecurity, “salting” refers to the technique of adding random data (or a “salt”) to passwords before they are hashed and stored
Benefits of Hashing
Data integrity: Hashing can help you ensure your data has not been altered in any way. If you hash a file before you download it from the internet and hash it afterward and the file remains the same, then data integrity has been maintained. If it does not, the file has been tampered with.
Password security: Hashing is a one-way function that turns passwords into unbreakable codes using complex rules. Hackers might try to crack the code, but the intricate design of hashing makes it incredibly difficult, like getting lost in a maze without being able to find the way out. This clever encryption keeps passwords safe, creating a world where the real password stays hidden, wrapped in a cloak of complexity
Digital signatures
digital signature is an electronic equivalent of a handwritten signature in that it is uniquely tied to the signer and the content being signed
Key stretching
Key stretching is a cryptographic technique designed to transform a password into a longer, more complex key. The objective is to slow down the process of deriving the original password, making it computationally infeasible for attackers to break into a system by brute force or dictionary attacks.
Key stretching methods
Password-Based Key Derivation Function 2 (PBKDF2): This widely used method iterates through a hash function multiple times, effectively slowing down the key derivation process
Bcrypt: Specifically designed to address password hashing, Bcrypt incorporates salt and multiple rounds of hashing to amplify the time required for each iteration
Blockchain
This digital ledger thrives on data batches called blocks that are distributed across countless computers, a strategy that ensures security through decentralization.
Blockchain can record financial, medical, and property transactions. Each block holds data and hashes, forming a chain within this distributed public ledger. To add a block, a computer cracks a puzzle, signaling readiness to the network, which is a process known as proof of work
Public ledger
The open public ledger is a foundational element of blockchain systems. It’s essentially a digital record of all transactions that have ever occurred within the blockchain network.
consensus mechanism
To maintain the accuracy and integrity of the ledger, consensus mechanisms such as proof of work or proof of stake are employed. These mechanisms ensure that the network participants agree on the legitimacy of transactions before they are added to the ledger.
Certificate Authorities (CAs)
In today’s digital era, trust is the bedrock of secure online interactions. CAs take center stage as guardians of authenticity. They validate digital identities using cryptographic keys, ensuring the websites we visit and the data we share are genuine. At the core of this process lies the root key, which is used to sign certificates.
Online CA
Online CAs swiftly verify keys in real time, matching the pace of the digital world
Offline CA
Offline CAs prioritize security by working in isolated environments, away from online threats
CRLs
These lists contain the serial numbers of certificates that have been revoked, compromised, or expired.
OSCP
The OCSP addresses some of the shortcomings of CRLs, one of which is its speed. OCSP is comparatively much faster. While CRLs could spend time downloading a potentially large list, OCSP enables real-time certificate validation by allowing systems to query the CA’s server directly
Self signed Certificates
A self-signed certificate is a digital certificate that is generated and signed by the same entity it is issued to. Unlike certificates issued by trusted third-party CAs, self-signed certificates are not verified by an external authority. This means that the entity creating the certificate is attesting to its own identity without any external validation. Self-signed certificates can be placed on multiple internal servers.
Digital Certificate
A digital certificate is a file or electronic password that proves the authenticity of a device, server, or user through the use of cryptography and the public key infrastructure (PKI). Digital certificate authentication helps organizations ensure that only trusted devices and users can connect to their networks.
Certificate Signing Request (CSR) generation
When an individual or organization seeks to obtain a digital certificate from a trusted CA, they generate a CSR. This file encapsulates essential details such as the entity’s name, domain, and a public key.
Wildcard
For a wildcard certificate for a domain called securityplus.training, the wildcard certification would be *.securityplus.training on multiple public-facing web servers. A single wildcard certificate can be installed on multiple servers within the same domain, thereby reducing the cost of purchasing multiple certificates.
SPF
SPF is another email authentication mechanism. It checks whether the sender’s IP address is authorized to send mail on behalf of a particular domain
PGP
With PGP, emails are encrypted end to end, meaning only the intended recipient can unlock and decipher the content, even if it is intercepted during transit.
S/MIME
This uses Public Key Infrastructure (PKI) to either encrypt emails or digitally sign emails to prove the integrity of the message
Uniterruptible Power Supply
Uninterruptible Power Supply (UPS): A UPS is an electrical device used to provide backup power to connected equipment or devices during power outages or fluctuations in the electrical supply. It is designed to keep the system going only for a few minutes to allow the server team to close the servers
Power Distribution Units (PDUs
PDUs serve as a frontline defense, effectively mitigating power spikes, blackouts, and brownouts to safeguard your critical equipment and data. Their primary function is to maintain a balanced distribution of power, guard against the perils of overload and overheating, and thereby enhance the safety and longevity of connected equipment. Additionally, PDUs can be used to remotely monitor power consumption, providing valuable insights into energy usage patterns.
What type of device could suffer an ARP attack?
A switch (because it works with MAC addresses
What kind of records are created by DNS poisoning, and how can we prevent this attack?
DNS poisoning creates RRSIG records and can be prevented using DNSSEC
Buffer Overflow
Too much data in a field, overwrite adjacent memory
SQL injectivie
Database attack look for SELECT* or 1=1
SWITCH
A switch is an internal network device that links all machines in the local area network (LAN), see the following figure), maintaining a table known as Content Addressable Memory (CAM) with MAC addresses to identify connected hosts.
Routers
A router is a device used to connect two different networks when setting up a host machine, known as the default gateway. It is used by your company to give you access to other networks—for example, the internet. It has a routing table built into it, so it knows which route can be used to deliver network packets. The router is the IP equivalent of a post office sending letters around the world, but instead of letters, IP packets are transporte
Where is account information stored in Linux machines
/etc/passwd, which contains basic information about user accounts, and /etc/shadow, which contains the password information. Only the administrator
NT Lan Manager (NTLM
s a legacy authentication protocol and a predecessor to Kerberos that stores passwords using the MD4 hash (which is very easy to crack). It was consequently susceptible to pass-the-hash attacks
Server Message Block Port
Server message block port 445
Modern file and print services
FIPS US Government Standards/Guidelines
: These are a set of standards and guidelines developed by NIST for the U.S. federal government. They serve as the foundation upon which secure and reliable computer systems are built
Bridge
A bridge is a network device that connects multiple subnetworks to create a single network
DDNS
Dynamic DNS (DDNS) is an extension of DNS that automatically updates IP addresses associated with domain names in real time. It expands the capabilities of DNS. With DDNS, organizations and individuals can maintain connectivity and accessibility even in dynamic IP address environments.
active-passive configuration Loadbalancer
active-passive configuration, the server load balancer recognizes a failed node and redirects traffic to the next available node.
active-active configuration Loadbalancer
Active-active clusters: Client machines connect to a load balancer that distributes their workloads across multiple active servers. Active-passive clusters: Client machines connect to the main server, which handles the full workload, while a backup server remains on standby, only activating in the event of a failure.
